<% if domain.multiple_upstreams? %>
upstream <%= domain.upstream_backend_name %> {
    <% domain.upstreams.each do |upstream| %>
        server <%= upstream[:address] %> <%= upstream[:parameters] %>;
    <% end %>
}
<% end %>

server {
    listen <%= domain.port %> ssl;
    <% if ENV['LISTEN_IPV6'] && ENV['LISTEN_IPV6'].downcase == 'true' %>
    listen [::]:<%= domain.port %> ssl;
    <% end %>
    http2 on;
    
    server_name <%= domain.name %>;

    ssl_certificate <%= domain.chained_cert_path %>;
    ssl_certificate_key <%= domain.key_path %>;

    ssl_session_cache shared:SSL:50m;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;

    ssl_dhparam <%= dhparam_path %>;

    # Send HSTS header if configured
    <% if ENV['HSTS_MAX_AGE'] %>
       add_header Strict-Transport-Security "max-age=<%= ENV['HSTS_MAX_AGE'] %>" always;
    <% end %>

    <% if domain.access_restriction %>
        <% domain.access_restriction.each do |ip| %>
            allow <%= ip %>;
        <% end %>
        deny all;
    <% end %>

    <% if domain.basic_auth_enabled? %>
        auth_basic "Password";
        auth_basic_user_file <%= domain.htaccess_path %>;
    <% end %>

    <% if ENV['CUSTOM_NGINX_SERVER_CONFIG_BLOCK'] %>
        <%= ENV['CUSTOM_NGINX_SERVER_CONFIG_BLOCK'] %>
    <% end %>

    <% if ENV["CUSTOM_NGINX_#{domain.env_format_name}_CONFIG_BLOCK"] %>
        <%= ENV["CUSTOM_NGINX_#{domain.env_format_name}_CONFIG_BLOCK"] %>
    <% end %>

    <% if domain.upstream %>
    location / {
        <% if ENV['DYNAMIC_UPSTREAM'] && ENV['DYNAMIC_UPSTREAM'].downcase == 'true' %>
        set $backend <%= domain.multiple_upstreams? ? domain.upstream_proto + domain.upstream_backend_name : domain.upstream %>;
        proxy_pass $backend;
        <% else %>
        proxy_pass <%= domain.multiple_upstreams? ? domain.upstream_proto + domain.upstream_backend_name : domain.upstream %>;
        <% end %>
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        <% if ENV['WEBSOCKET'] && ENV['WEBSOCKET'].downcase == 'true' %>
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 2h;
        <% end %>
    }
    <% elsif domain.redirect_target_url %>
    location / {
        return    <%= ENV['REDIRECT_CODE'] || 307 %> <%= domain.redirect_target_url %>$request_uri;
    }
    <% else %>
    location / {
        root   <%= domain.www_root %>;
        index  <%= ENV['INDEX_FILES'] || 'index.html' %>;
    }
    <% end %>
}
